Abstract

This paper will examine the threat profile of a whistleblower
by defining it as a distinct threat and examining the motivations and risks behind
this threat. The whistleblower poses an internal threat to the information infrastructure
of a given entity. This threat shares similarities with other types of internal
threats (i.e. consultants, insiders, etc.) due to the level of access the whistleblower
possesses. Whistleblowers differ from other internal threats because of the type
of information they are interested in and their motivations in compromising it.
Understanding the specific threat the whistleblower presents can assist in protecting
information infrastructure by allowing entities to prepare policy that focuses on
limiting the risk from this profile. It is important to note that the legitimacy
of a whistleblower's intentions or claims is not pertinent for the purposes of this
paper. This paper seeks only to examine the threat that the whistleblower presents
to information infrastructure.

Definition of a Whistleblower

The American Heritage Dictionary defines whistleblower (also
whistle blower; whistle-blower) as: "One who reveals wrongdoing within an organization
to the public or to those in positions of authority."[1]
There is much disagreement surrounding the etymology of the term whistleblower.
Some have attributed the term to early police use of whistles as warning signals.
Others have theorized the term comes from locomotive trains sounding a warning of
their impending arrival.[2] What is certain is that
the term hearkens back to a time before digital communication systems were pervasive,
when whistles were a more commonly used technique to communicate to others across
short distances. In contrast, today's advances in digital communication have changed
the way we communicate by giving us unprecedented, instant access to data.

To identify the term whistleblower as a threat to modern information
systems we must first understand the term as it relates to those information systems.
Dr. Fred Cohen, Principal Member of Technical Staff for Sandia National Laboratories,
has defined a whistleblower as "People who believe that crimes are being committed
and that they have a duty to report them to the proper authorities." He further
adds that "Whistle blowers are often sincere in their beliefs, have insider access,
and sometimes have legitimate cases."[3]

Whistleblowers share similarities with many other threat profiles.
Many threats to information infrastructure involve gaining access to proprietary
information for the purposes of sharing that information with others. For example,
an activist can also be a whistleblower, such as when biologist Samuel LaBudde
filmed dolphins that were dying in fishing nets while he was working undercover aboard
a tuna boat.[4] Reporters are also well known for
whistleblowing. In 1999, an undercover reporter went public after he obtained a
job at London's Heathrow airport by falsifying his name and background. He reportedly
gained access to many restricted areas.[5] For the
purposes of this paper, what differentiates the whistleblower from the activist or
the reporter (et al.) is the idea that a whistleblower has a legitimate level of
access (i.e. via a job or position), which they may later choose to exceed or violate,
before they decide to become a threat.

However, insiders and consultants also have a certain legitimate
level of access to information. What differentiates a whistleblower from these internal
threat profiles is their motivation and, therefore, the type of information compromised.
The whistleblower seeks to expose what they perceive is illegal activity on the
part of the entity in possession of the information. Therefore, the whistleblower
will be primarily concerned with gathering evidence to support their allegations
rather than other kinds of information.

An Example from the Tobacco Industry

In 1995, Dr. Jeffrey Wigand, former Vice President of Research
and Development for Brown & Williamson Tobacco Corporation, went public with information
alleging that the company knew for decades that smoking caused health problems and
that nicotine was addictive. Brown & Williamson had officially denied for years
that tobacco use was unhealthy or addictive.

Wigand was hired in January of 1989 by B&W. According to Wigand
he was hired to conduct research to develop a safer cigarette.[6]
Wigand began to become disillusioned when, he claims, B&W attorneys began censoring
meeting minutes and other company documents to excise any company acknowledgments
that tobacco use caused health problems. Wigand testified that company attorneys
claimed such acknowledgments could be damaging in product liability litigation involving
B&W.[7]

Wigand also claims that he became concerned about the company's
use of a tobacco additive called coumarin. Coumarin was a flavoring added to enhance
the taste of tobacco. Dr. Wigand claimed he was concerned over studies linking coumarin
to liver tumors in mice and a variety of other cancers. According to Wigand he expressed
his concerns to senior management stating, "I could not in conscience continue with
coumarin in a product that we now know, have documentation that is lung-specific
carcinogen."(sic)[8] Wigand claims that Thomas Sandefur,
then President/CEO for B&W, told him, "...that we would continue working on a substitute
and we weren't going to remove it because it would impact sales and that, that was
his decision."[9] Wigand objected to the decision and
claims that he was eventually terminated because of his opposition to the company's
continued use of coumarin.[10]

Missed Opportunities for Brown & Williamson

Prior to his termination, Wigand decided to collect B&W internal
memoranda and other information. Although he had signed confidentiality agreements,
he used the company's information system to collect data to be used against the company.
He also began keeping written records chronicling his dealings with B&W. After his
termination, Wigand leaked some of this information to the press demonstrating B&W
had knowledge of the ill effects of smoking on health, that they manipulated nicotine
levels to increase its delivery to the brain, and that they knowingly added unsafe
chemicals to tobacco.[11] On October 9, 1995, stories
based on this information ran in the Wall Street Journal and The Washington Post.
Both publications ran articles quoting B&W internal documents.[12]

This information leak has had far-reaching
implications for the entire tobacco industry. Dr. Wigand has since testified against
tobacco interests in class action lawsuits. Many B&W trade secrets and technologies
have been made public via court documents, providing competitive intelligence to
its competitors. The tobacco industry has lost a stunning series of court decisions.
Some tobacco companies have acknowledged their products cause health problems.
The industry has been forced to make many concessions regarding regulation of their
products.[13] While all of these changes in the industry
cannot be attributed solely to the whistleblowing activity of Dr. Wigand, he certainly
made an important contribution to the political milieu that led to these changes
in the tobacco industry.

Dr. Wigand compromised the information infrastructure of Brown
& Williamson by leaking confidential information. Brown & Williamson alleges
he violated confidentiality agreements and information protection policies in doing
so.[14] It appears B&W relied too heavily on enforcing
confidentiality agreements (Wigand signed several of these)[15]
and not enough on limiting its exposure in other ways.

Alternative Strategies

Much of the significance of the threat Dr. Wigand posed to B&W
was due to his high level of access to the company's data. Wigand was a vice president.
He had access to all of the company's medical research. At that level there is
little opportunity to compartmentalize information and thereby limit its exposure. For
example, a researcher conducting a study of the effects of coumarin on mice possesses
data that could be damaging to the company. If that is the limit of the researcher's
perspective on the data, then the information is compartmentalized and limited in
its scope. Because the researcher lacks the perspective that a broader base of information
provides, the scope of the potential damage the information can cause is limited.
However, if the researcher has access to a wide body of data concerning a variety
of studies, the information becomes more damaging because the level of evidence increases.
Moreover, if the researcher has access to senior officials in the company and has
first hand knowledge about their decisions to ignore or obfuscate the body of research
data, the potential level of damage the information leak presents reaches staggering
proportions. This was the case with Dr. Wigand. Due to his position as Vice President
of Research and Development, it would have been difficult for him to perform his
duties without access to all of the available research data. Therefore, compartmentalizing
the information was probably not a practical option.

Another protection option is an effective security alert system.
Ira Winkler, an expert regarding corporate espionage, advises that a security alert
system can facilitate identification of potential threats:

"People have to know who to tell when they discover
potential security problems. The only thing most people think to do is tell their
supervisor. If they have a bad relationship with the boss, they might be disinclined
to bring up a problem. If they do tell their supervisor, then the supervisor must
know what to do with that information."[16]

Company officials eventually identified Dr. Wigand as a threat
and terminated his employment, probably falsely believing that they were adequately
protected by confidentiality agreements. By the time B&W terminated Dr. Wigand,
he had already collected the damaging information. If the company had an effective
security alert system designed to help detect threats at the early stages, they may
have been able to limit Dr. Wigand's damage.

Once a person has been identified as a potential threat, the company has
the opportunity to observe the subject's computer use. Digital data can be loaded
onto a diskette, hidden on the hard drive of a laptop, or even emailed through the
company's firewall. Most companies retain the right to examine employee usage of
its computer systems. By being alerted to a potential threat a security team can
observe Internet traffic, emails, faxes, and what internal files the subject is accessing.
This may help to identify suspicious behavior. Audit logs are an invaluable resource
to provide information about computer use and file access.[17]
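The kind of audit-log review described above, as an added example that is not part of the original paper: it parses constructed file-access audit lines, compares each user's activity against a hypothetical compartment assignment (the study areas a role is expected to touch), and flags access outside that assignment as well as unusually broad access across compartments. The log format, user names, paths and assignments are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit log (not from the paper): "timestamp user action path".
AUDIT_LOG = """\
1995-03-01T09:02:11 rsmith READ /research/coumarin/mice-study-07.doc
1995-03-01T09:10:45 rsmith READ /research/coumarin/mice-study-08.doc
1995-03-01T09:30:02 jdoe READ /research/coumarin/mice-study-07.doc
1995-03-01T10:15:00 jdoe READ /research/nicotine/delivery-trial-02.doc
1995-03-01T10:16:30 jdoe READ /research/nicotine/delivery-trial-03.doc
1995-03-01T10:20:05 jdoe READ /legal/minutes/1993-q2.doc
1995-03-01T10:21:40 jdoe COPY /legal/minutes/1993-q2.doc
1995-03-01T10:25:12 jdoe READ /research/additives/flavor-review-11.doc
"""

# Hypothetical compartment assignments: the study areas each user's role may touch.
ASSIGNMENTS = {
    "rsmith": {"research/coumarin"},
    "jdoe": {"research/coumarin", "research/nicotine"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (READ|COPY|PRINT) (/\S+)$")

def compartment_of(path):
    """Compartment = first two directory components, e.g. 'research/coumarin'."""
    parts = path.strip("/").split("/")
    return "/".join(parts[:2])

def parse_audit(text):
    """Return (timestamp, user, action, path, compartment) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, action, path = m.groups()
            events.append((ts, user, action, path, compartment_of(path)))
    return events

def review(events, assignments, max_compartments=2):
    """Return {user: [finding, ...]} for out-of-compartment and over-broad access."""
    touched = defaultdict(set)
    findings = defaultdict(list)
    for ts, user, action, path, comp in events:
        touched[user].add(comp)
        if comp not in assignments.get(user, set()):
            findings[user].append(f"{ts} {action} outside assigned compartments: {path}")
    for user, comps in touched.items():
        if len(comps) > max_compartments:  # breadth of access, not just a single file
            findings[user].append(f"breadth: {len(comps)} compartments touched ({', '.join(sorted(comps))})")
    return dict(findings)

if __name__ == "__main__":
    for user, notes in review(parse_audit(AUDIT_LOG), ASSIGNMENTS).items():
        print(user, *notes, sep="\n  ")
```

Only jdoe is reported: three accesses outside the assigned compartments (including a COPY of legal minutes) and a breadth finding for touching four compartments in one day, which is the pattern of evidence-gathering across studies that the paper describes.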

Other methods of removing documentation include physically removing
documents. Documents can be copied and carried out in a briefcase, but this method
is a bulky alternative to removing the data in digital form. One method to help
detect this threat is to monitor use of copy machines. Simply installing a counter
can alert managers to unusual levels of usage. Many copy machines today can track
usage by requiring the input of a departmental number.[18]
By examining these records for suspicious activity B&W may have been able to identify
the threat earlier.

Conclusion

The Brown & Williamson Tobacco Company was not prepared for
the assault on their proprietary information. They appeared to rely solely on confidentiality
agreements to protect themselves and control their data. While confidentiality agreements
are a good practice, no information security program should rely on only one method
of protection. The confidentiality agreements did not work because the allegations
of illegal activity exempted Dr. Wigand from adhering to the non-disclosure agreements.
This left B&W with little protection.

A balanced and coordinated information security policy would
have probably helped them to better control their data. They did not take advantage
of other information controls such as security alert response plans, audit logs,
and other precautions common to well-rounded information protection programs. By
not actively managing their information security program, they were forced to be
reactive rather than proactive.

According to Dr. Fred Cohen, "Because the value of information
is pervasive in modern life, so must be its protection. Anywhere valuable information
goes, protection must also go. That means that everyone who deals with valuable
information must also be involved in the information protection function at some
level."[19] It is clear that B&W did not maintain
a pervasive information security posture in this situation.